The Profound Failure of Congress on Cybersecurity (and Why You Should Care)

On August 2, Congress did it again. They acknowledged the looming threat of cyberwarfare while discussing the Cybersecurity Act of 2012, and then they “kicked the can down the road.” It’s what they do best. The “Party of No” hurt us all on a critically necessary piece of cyber-security legislation, and continued the U.S. Senate’s proud tradition of failing to do anything to deal with our absolute vulnerability to an attack by state-sponsored hackers and terrorists on our critical infrastructure.

We no longer have Cold War problems. It’s hackers, working either for rogue states or terrorist organizations. At some point, they will disrupt not just our military’s computers, which will be bad enough, but also the computers upon which all Americans depend: computers that run our nuclear power plants and electricity grid; computers that deliver our drinking water; computers that manage our hospitals, banks, and every corporation large and small. They will use our own machines against us, but as of yet we have no John Connor.

“(T)he Pentagon has formally recognized cyberspace as a new domain in warfare . . . [which] has become just as critical to military operations as land, sea, air, and space,” William J. Lynn III, the deputy secretary of defense, wrote in a 2010 article for Foreign Affairs magazine.

What’s particularly troubling, experts warn, is the degree to which America’s critical computer infrastructure is decentralized, privatized, unprotected, and vulnerable to attack. It was precisely this problem that the cybersecurity bill was intended solve.

Knocking out even 10 percent of the computers used to control the complicated network of water reservoirs and pipelines that crisscross the Western states would have an immediate, severe impact in giant metropolises including Phoenix, Las Vegas and Los Angeles. Private utility companies like First Energy — which caused the 2003 East Coast blackout, and which came within 60 days of incinerating a large swath of Michigan, Ohio and Pennsylvania in 2002 by allowing acid to eat a football-sized hole in a nuclear reactor lid at its Davis-Besse power plant — face only limited requirements to safeguard their critical computer systems. If this is how major utilities handle basic infrastructure such as power transmission lines and nuclear reactors, just think what unseen dangers lurk in their disparate computer systems.

“The alarm bells sound regularly: cybergeddon; the next Pearl Harbor; one of the greatest existential threats facing the United States,” Preet Bharara, U.S. attorney for the Southern District of New York, wrote in a recent op-ed inThe New York Times. “With increasing frequency, these are the grave terms officials invoke about the menace of cybercrime — and they’re not understating the threat.”

Both parties in Congress agree that the question is not whether this next war will start. It’s when. Yet members of both parties once again blew their best chance to get America ready. Senator Joseph Lieberman, the Independent from Connecticut, literally spent years nursing a cybersecurity bill through Congress. As originally conceived, the bill would have created security standards for computers that run the nation’s critical infrastructure including transportation, water systems and the electrical grid. In addition, it gave the federal government the power to make sure those standards were met.

Lieberman’s first attempt was clearly far from perfect. As my colleague Eduard Goodman, chief privacy officer of Identity Theft 911, sees it, the original bill contained some serious threats to the privacy of American citizens. Particularly troubling were provisions that could have required phone companies and Internet service providers to spy on their customers, and turn over anything that looked suspicious to government surveillance agencies.

According to Goodman, “Companies would potentially be reporting individual citizens to law enforcement without any of the checks and balances we have for traditional surveillance, though in truth, to some degree this already been happening for years.”

That dog don’t hunt. Our Founding Fathers fought and died to preserve and protect our freedom and liberty. Sacrificing freedom in the name of protecting it (sorry, Sheriff Joe) is akin to destroying the village to save it.

That problem could have been resolved, however, by the deliberative process for which Congress was created, but some of our esteemed lawmakers had no desire to make the legislation better. They simply wanted to kill it, but for all the wrong reasons. Conservatives and their financial backers in the Chamber of Commerce didn’t even mention the cybersecurity bill’s looming privacy threats. Rather, they focused on trumped-up allegations that the bill would be a burden to American corporations.

“The chamber believes [the bill] could actually impede U.S. cyber security by shifting businesses’ resources away from implementing robust and effective security measures and toward meeting government mandates,” Bruce Josten, chief lobbyist for the chamber, wrote in a letter to senators.

Shifting resources… Are you kidding me? U.S. Attorney Bharara has remarked on several occasions that he was approached by a board member of a major U.S. Corporation who remarked that cyber security wasn’t even mentioned at meetings. Josten’s argument is utterly bogus. As Joel Brenner, former counsel for the National Security Agency, repeatedly points out, American corporations’ current computer safeguards present a “‘glass house,’ all but transparent to our adversaries.”

But the opponents of the bill weren’t interested in having that inconvenient truth aired. So they deployed their full arsenal of parliamentary tricks to kill the bill. They loaded it down with more than 70 amendments, most of which were highly controversial and had nothing to do with the legislation at hand, including provisions on gun control (don’t get me started) and abortion. This is like the Grasshopper and the Ants parable, but a thousand times worse. While corporate America tries to keep things as Wild West as possible while they loot the American Dream, they seemingly have no regard for the future. But winter is coming.

“We all recognize the problem, that’s really not the issue here,” Mitch McConnell (R – Kentucky), the Senate Minority Leader, said from the Senate floor. “It’s the matter that the majority leader has tried to steamroll a bill.”

This bill is no more a steamroller than a cat on a tricycle. It was many years in the making — there was nothing fast about it. Was it one of the Senate Democrats’ finest moments? Not quite. In an effort to woo sufficient members of McConnell’s rabid right wing to win the supermajority needed to overcome the filibuster, Democrats simply, profoundly caved. They offered to make the bill’s vital security safeguards optional, which in the context of the coming cyberwar is like telling members of the Massachusetts Militia that the Minutemen can show up whenever it’s convenient.

The problem, as most people who are paying attention know, is that our current collection of uneven, random and deficient computer security protocols will fail precisely because they are optional. The Democrats’ last-ditch efforts to save the bill by gutting it might have created some small boost in their efforts to look tough on security issues before the election this fall, but the resulting law would have done little to better protect the American people. In the end we are probably lucky that it failed, having avoided being lulled into a false sense of security.

So what happens next? The Obama administration has some power to require that executive agencies write and enforce a number of the security rules included in Lieberman’s original cybersecurity bill. The administration has hinted that it might use that power, and I hope that it does, despite well-rehearsed and inevitable howls of faux outrage that the President is sidestepping the will of Congress. After all, when the Congress has demonstrated that its will is to leave America’s critical infrastructure flapping in the breeze, the President’s only choice is to act as Commander in Chief to a threat to the nation.

But any moves by the executive branch can only be piecemeal. The White House needs the blessing of Congress before it can require agencies and private companies to share information on threats. That kind of collaboration was exactly what was missing in the years before Sept. 11, and it appears America’s military and intelligence agencies learned that lesson well.

Apparently, the politicians in Congress have not. Through their election-year cowardice, both Democrats and Republicans have colluded to let terrorists and enemy states create a new “Day of Infamy.” Therefore, let’s make November 6, 2012, Election Day, their day of reckoning.